[Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

Simo Sorce simo at redhat.com
Tue Nov 24 21:17:28 UTC 2015


On Tue, 2015-11-24 at 14:57 -0500, Simo Sorce wrote:
> On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote:
> > Since some time we use the getkeytab operation to fetch keytabs on newer
> > clients. According to bug #232 setkeytab can be used to circumvent
> > password quality controls so it needs to be slowly retired.
> > 
> > The attached patches implement #5485 in 2 parts.
> > 
> > The first introduces the option DisableSetKeytab which globally disables
> > the setkeytab extended operation. This is set to false by default for
> > backwards compatibility.
> > 
> > The second introduces an option called DisableUserSetKeytab, which is
> > active by default in new installs (but not in upgraded ones), and only
> > disables the use of setkeytab for ipa users, but not for hosts/services.
> > This is because users are the ones that may abuse the interface to
> > escape password policies and users also normally do not acquire keytabs,
> > so it is a safe bet to disable just them by default in new installs.
> > 
> > (Testing in progress)
> 
> Tested and working as expected.

I realized that adding options to ipaConfig requires adding them in the
UI as well; attached patches add the options in API.txt and config.py.
Make now complains that I should change the API Major or Minor, but it is
not clear to me why, given these are additional values and no real change
or new function is introduced. What's the recommendation?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-556-2-Introduce-option-to-disable-the-SetKeytab-exop.patch
Type: text/x-patch
Size: 5183 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151124/efd28825/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-557-2-Disable-User-s-ability-to-use-the-setkeytab-exop.patch
Type: text/x-patch
Size: 6930 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151124/efd28825/attachment-0001.bin>
